./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2131941941

<...>
Warning: Permanently added '10.128.1.32' (ECDSA) to the list of known hosts.
execve("./syz-executor2131941941", ["./syz-executor2131941941"], 0x7ffd3337a910 /* 10 vars */) = 0
brk(NULL)                               = 0x555555630000
brk(0x555555630c40)                     = 0x555555630c40
arch_prctl(ARCH_SET_FS, 0x555555630300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor2131941941", 4096) = 28
brk(0x555555651c40)                     = 0x555555651c40
brk(0x555555652000)                     = 0x555555652000
mprotect(0x7f06221a0000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
mkdir("/syzcgroup", 0777)               = 0
mkdir("/syzcgroup/unified", 0777)       = 0
mount("none", "/syzcgroup/unified", "cgroup2", 0, NULL) = 0
chmod("/syzcgroup/unified", 0777)       = 0
openat(AT_FDCWD, "/syzcgroup/unified/cgroup.subtree_control", O_WRONLY) = 3
write(3, "+cpu", 4)                     = 4
write(3, "+memory", 7)                  = 7
write(3, "+io", 3)                      = 3
write(3, "+pids", 5)                    = 5
close(3)                                = 0
mkdir("/syzcgroup/net", 0777)           = 0
mount("none", "/syzcgroup/net", "cgroup", 0, "net") = -1 EINVAL (Invalid argument)
mount("none", "/syzcgroup/net", "cgroup", 0, "net_prio") = 0
umount2("/syzcgroup/net", 0)            = 0
mount("none", "/syzcgroup/net", "cgroup", 0, "devices") = 0
umount2("/syzcgroup/net", 0)            = 0
mount("none", "/syzcgroup/net", "cgroup", 0, "blkio") = 0
umount2("/syzcgroup/net", 0)            = 0
mount("none", "/syzcgroup/net", "cgroup", 0, "freezer") = 0
umount2("/syzcgroup/net", 0)            = 0
mount("none", "/syzcgroup/net", "cgroup", 0, "net_prio,devices,blkio,freezer") = ? ERESTARTNOINTR (To be restarted)
syzkaller login: [   42.361786][ T3611] cgroup: Unknown subsys name 'net'
mount("none", "/syzcgroup/net", "cgroup", 0, "net_prio,devices,blkio,freezer") = ? ERESTARTNOINTR (To be restarted)
mount("none", "/syzcgroup/net", "cgroup", 0, "net_prio,devices,blkio,freezer") = ? ERESTARTNOINTR (To be restarted)
mount("none", "/syzcgroup/net", "cgroup", 0, "net_prio,devices,blkio,freezer") = 0
chmod("/syzcgroup/net", 0777)           = 0
mkdir("/syzcgroup/cpu", 0777)           = 0
mount("none", "/syzcgroup/cpu", "cgroup", 0, "cpuset") = 0
umount2("/syzcgroup/cpu", 0)            = 0
mount("none", "/syzcgroup/cpu", "cgroup", 0, "cpuacct") = 0
umount2("/syzcgroup/cpu", 0)            = 0
mount("none", "/syzcgroup/cpu", "cgroup", 0, "hugetlb") = 0
umount2("/syzcgroup/cpu", 0)            = 0
mount("none", "/syzcgroup/cpu", "cgroup", 0, "rlimit") = -1 EINVAL (Invalid argument)
mount("none", "/syzcgroup/cpu", "cgroup", 0, "cpuset,cpuacct,hugetlb") = ? ERESTARTNOINTR (To be restarted)
[   42.490265][ T3611] cgroup: Unknown subsys name 'rlimit'
mount("none", "/syzcgroup/cpu", "cgroup", 0, "cpuset,cpuacct,hugetlb") = ? ERESTARTNOINTR (To be restarted)
mount("none", "/syzcgroup/cpu", "cgroup", 0, "cpuset,cpuacct,hugetlb") = 0
chmod("/syzcgroup/cpu", 0777)           = 0
openat(AT_FDCWD, "/syzcgroup/cpu/cgroup.clone_children", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1)                        = 1
close(3)                                = 0
openat(AT_FDCWD, "/syzcgroup/cpu/cpuset.memory_pressure_enabled", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1)                        = 1
close(3)                                = 0
getpid()                                = 3611
mkdir("./syzkaller.0KPZ3f", 0700)       = 0
chmod("./syzkaller.0KPZ3f", 0777)       = 0
chdir("./syzkaller.0KPZ3f")             = 0
unshare(CLONE_NEWPID)                   = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3612 attached
, child_tidptr=0x5555556305d0) = 3612
[pid  3612] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy)
[pid  3612] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  3612] setsid()                    = 1
[pid  3612] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0
[pid  3612] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0
[pid  3612] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0
[pid  3612] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0
[pid  3612] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, NULL) = 0
[pid  3612] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0
[pid  3612] unshare(CLONE_NEWNS)        = 0
[pid  3612] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0
[pid  3612] unshare(CLONE_NEWIPC)       = 0
[pid  3612] unshare(CLONE_NEWCGROUP)    = 0
[pid  3612] unshare(CLONE_NEWUTS)       = 0
[pid  3612] unshare(CLONE_SYSVSEM)      = 0
[pid  3612] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3
[pid  3612] write(3, "16777216", 8)     = 8
[pid  3612] close(3)                    = 0
[pid  3612] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3
[pid  3612] write(3, "536870912", 9)    = 9
[pid  3612] close(3)                    = 0
[pid  3612] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3
[pid  3612] write(3, "1024", 4)         = 4
[pid  3612] close(3)                    = 0
[pid  3612] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3
[pid  3612] write(3, "8192", 4)         = 4
[pid  3612] close(3)                    = 0
[pid  3612] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3
[pid  3612] write(3, "1024", 4)         = 4
[pid  3612] close(3)                    = 0
[pid  3612] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3
[pid  3612] write(3, "1024", 4)         = 4
[pid  3612] close(3)                    = 0
[pid  3612] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3
[pid  3612] write(3, "1024 1048576 500 1024", 21) = 21
[pid  3612] close(3)                    = 0
[pid  3612] getpid()                    = 1
[pid  3612] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_NICE|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, permitted=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_NICE|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, inheritable=0}) = 0
[pid  3612] capset({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, permitted=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, inheritable=0}) = 0
[pid  3612] unshare(CLONE_NEWNET)       = 0
[pid  3612] openat(AT_FDCWD, "/proc/sys/net/ipv4/ping_group_range", O_WRONLY|O_CLOEXEC) = 3
[pid  3612] write(3, "0 65535", 7)      = 7
[pid  3612] close(3)                    = 0
[pid  3612] mkdir("/dev/binderfs", 0777) = 0
[pid  3612] mount("binder", "/dev/binderfs", "binder", 0, NULL) = 0
[pid  3612] getpid()                    = 1
[pid  3612] mkdir("/syzcgroup/unified/syz0", 0777) = 0
[pid  3612] openat(AT_FDCWD, "/syzcgroup/unified/syz0/pids.max", O_WRONLY|O_CLOEXEC) = 3
[pid  3612] write(3, "32", 2)           = 2
[pid  3612] close(3)                    = 0
[pid  3612] openat(AT_FDCWD, "/syzcgroup/unified/syz0/memory.low", O_WRONLY|O_CLOEXEC) = 3
[pid  3612] write(3, "312475648", 9)    = 9
[pid  3612] close(3)                    = 0
[pid  3612] openat(AT_FDCWD, "/syzcgroup/unified/syz0/memory.high", O_WRONLY|O_CLOEXEC) = 3
[pid  3612] write(3, "313524224", 9)    = 9
[pid  3612] close(3)                    = 0
[pid  3612] openat(AT_FDCWD, "/syzcgroup/unified/syz0/memory.max", O_WRONLY|O_CLOEXEC) = 3
[pid  3612] write(3, "314572800", 9)    = 9
[pid  3612] close(3)                    = 0
[pid  3612] openat(AT_FDCWD, "/syzcgroup/unified/syz0/cgroup.procs", O_WRONLY|O_CLOEXEC) = 3
[pid  3612] write(3, "1", 1)            = 1
[pid  3612] close(3)                    = 0
[pid  3612] mkdir("/syzcgroup/cpu/syz0", 0777) = 0
[pid  3612] openat(AT_FDCWD, "/syzcgroup/cpu/syz0/cgroup.procs", O_WRONLY|O_CLOEXEC) = 3
[pid  3612] write(3, "1", 1)            = 1
[pid  3612] close(3)                    = 0
[pid  3612] mkdir("/syzcgroup/net/syz0", 0777) = 0
[pid  3612] openat(AT_FDCWD, "/syzcgroup/net/syz0/cgroup.procs", O_WRONLY|O_CLOEXEC) = 3
[pid  3612] write(3, "1", 1)            = 1
[pid  3612] close(3)                    = 0
[pid  3612] mkdir("./0", 0777)          = 0
[pid  3612] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556305d0) = 2
./strace-static-x86_64: Process 3613 attached
[pid  3613] chdir("./0")                = 0
[pid  3613] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  3613] setpgid(0, 0)               = 0
[pid  3613] symlink("/syzcgroup/unified/syz0", "./cgroup") = 0
[pid  3613] symlink("/syzcgroup/cpu/syz0", "./cgroup.cpu") = 0
[pid  3613] symlink("/syzcgroup/net/syz0", "./cgroup.net") = 0
[pid  3613] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  3613] write(3, "1000", 4)         = 4
[pid  3613] close(3)                    = 0
[pid  3613] symlink("/dev/binderfs", "./binderfs") = 0
[pid  3613] openat(AT_FDCWD, "/dev/dri/card0", O_RDONLY) = 3
[pid  3613] ioctl(3, DRM_IOCTL_MODE_CREATE_DUMB, 0x20000100) = 0
[pid  3613] mmap(0x20ffc000, 12328, PROT_NONE, MAP_PRIVATE|MAP_FIXED, 3, 0x100000000) = -1 ENOMEM (Cannot allocate memory)
[   44.192892][ T3613] ==================================================================
[   44.200989][ T3613] BUG: KASAN: use-after-free in drm_gem_object_release_handle+0xa1/0xb0
[   44.209313][ T3613] Read of size 8 at addr ffff8880779a89e8 by task syz-executor213/3613
[   44.217531][ T3613] 
[   44.219867][ T3613] CPU: 0 PID: 3613 Comm: syz-executor213 Not tainted 6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0
[   44.230256][ T3613] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[   44.240293][ T3613] Call Trace:
[   44.243554][ T3613]  <TASK>
[   44.246470][ T3613]  dump_stack_lvl+0xcd/0x134
[   44.251056][ T3613]  print_report+0x15e/0x45d
[   44.255548][ T3613]  ? __phys_addr+0xc4/0x140
[   44.260037][ T3613]  ? drm_gem_object_release_handle+0xa1/0xb0
[   44.266009][ T3613]  kasan_report+0xbb/0x1f0
[   44.270414][ T3613]  ? drm_gem_object_release_handle+0xa1/0xb0
[   44.276385][ T3613]  drm_gem_object_release_handle+0xa1/0xb0
[   44.282184][ T3613]  ? drm_gem_object_handle_put_unlocked+0x390/0x390
[   44.288764][ T3613]  idr_for_each+0x113/0x220
[   44.293258][ T3613]  ? idr_find+0x50/0x50
[   44.297400][ T3613]  ? rwlock_bug.part.0+0x90/0x90
[   44.302322][ T3613]  ? wait_for_completion_io_timeout+0x20/0x20
[   44.308376][ T3613]  ? lock_acquire+0x4fc/0x630
[   44.313036][ T3613]  drm_gem_release+0x22/0x30
[   44.317617][ T3613]  drm_file_free+0x7bb/0xb90
[   44.322194][ T3613]  ? drm_close_helper.isra.0+0x16b/0x1e0
[   44.327815][ T3613]  drm_release+0x1a6/0x4d0
[   44.332235][ T3613]  __fput+0x27c/0xa90
[   44.336200][ T3613]  ? drm_lastclose+0xe0/0xe0
[   44.340782][ T3613]  task_work_run+0x16b/0x270
[   44.345361][ T3613]  ? task_work_cancel+0x30/0x30
[   44.351939][ T3613]  ? do_raw_spin_lock+0x120/0x2a0
[   44.356951][ T3613]  ptrace_notify+0x114/0x140
[   44.361530][ T3613]  syscall_exit_to_user_mode_prepare+0x129/0x280
[   44.367848][ T3613]  syscall_exit_to_user_mode+0x9/0x50
[   44.373206][ T3613]  do_syscall_64+0x42/0xb0
[   44.377613][ T3613]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   44.383493][ T3613] RIP: 0033:0x7f06220eff53
[   44.387891][ T3613] Code: c7 c2 c0 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb ba 0f 1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8
[   44.407480][ T3613] RSP: 002b:00007ffff79d9238 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[   44.415873][ T3613] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f06220eff53
[   44.423913][ T3613] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[   44.431864][ T3613] RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000100000000
[   44.439829][ T3613] R10: 0000000000000012 R11: 0000000000000246 R12: 00007ffff79d925c
[   44.447796][ T3613] R13: 00007ffff79d9270 R14: 00007ffff79d92b0 R15: 0000000000000000
[   44.455767][ T3613]  </TASK>
[   44.458774][ T3613] 
[   44.461081][ T3613] Allocated by task 3613:
[   44.465385][ T3613]  kasan_save_stack+0x1e/0x40
[   44.470055][ T3613]  kasan_set_track+0x21/0x30
[   44.474630][ T3613]  __kasan_kmalloc+0xa1/0xb0
[   44.479208][ T3613]  vgem_gem_create_object+0x38/0xb0
[   44.484398][ T3613]  __drm_gem_shmem_create+0x80/0x480
[   44.489665][ T3613]  drm_gem_shmem_dumb_create+0x13c/0x380
[   44.495281][ T3613]  drm_mode_create_dumb+0x26c/0x2f0
[   44.500464][ T3613]  drm_ioctl_kernel+0x27d/0x4e0
[   44.505296][ T3613]  drm_ioctl+0x3e2/0xa30
[   44.509523][ T3613]  __x64_sys_ioctl+0x193/0x200
[   44.514275][ T3613]  do_syscall_64+0x35/0xb0
[   44.518678][ T3613]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   44.524558][ T3613] 
[   44.526879][ T3613] Freed by task 3613:
[   44.530836][ T3613]  kasan_save_stack+0x1e/0x40
[   44.535504][ T3613]  kasan_set_track+0x21/0x30
[   44.540082][ T3613]  kasan_save_free_info+0x2a/0x40
[   44.545085][ T3613]  ____kasan_slab_free+0x160/0x1c0
[   44.550185][ T3613]  slab_free_freelist_hook+0x8b/0x1c0
[   44.555541][ T3613]  __kmem_cache_free+0xab/0x3b0
[   44.560382][ T3613]  drm_gem_mmap+0x4f6/0x770
[   44.564877][ T3613]  mmap_region+0x6bf/0x1c00
[   44.569375][ T3613]  do_mmap+0x825/0xf50
[   44.573434][ T3613]  vm_mmap_pgoff+0x1ab/0x270
[   44.578006][ T3613]  ksys_mmap_pgoff+0x41b/0x5a0
[   44.582757][ T3613]  do_syscall_64+0x35/0xb0
[   44.587162][ T3613]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   44.593041][ T3613] 
[   44.595363][ T3613] The buggy address belongs to the object at ffff8880779a8800
[   44.595363][ T3613]  which belongs to the cache kmalloc-1k of size 1024
[   44.609400][ T3613] The buggy address is located 488 bytes inside of
[   44.609400][ T3613]  1024-byte region [ffff8880779a8800, ffff8880779a8c00)
[   44.622739][ T3613] 
[   44.625045][ T3613] The buggy address belongs to the physical page:
[   44.631439][ T3613] page:ffffea0001de6a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x779a8
[   44.641576][ T3613] head:ffffea0001de6a00 order:3 compound_mapcount:0 compound_pincount:0
[   44.649876][ T3613] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[   44.657843][ T3613] raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888011841dc0
[   44.666407][ T3613] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[   44.674963][ T3613] page dumped because: kasan: bad access detected
[   44.681349][ T3613] page_owner tracks the page as allocated
[   44.687039][ T3613] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 3612, tgid 3612 (syz-executor213), ts 42629407432, free_ts 37326106700
[   44.710033][ T3613]  get_page_from_freelist+0x10b5/0x2d50
[   44.715565][ T3613]  __alloc_pages+0x1c7/0x5a0
[   44.720144][ T3613]  allocate_slab+0x80/0x300
[   44.724640][ T3613]  ___slab_alloc+0xa91/0x1400
[   44.729303][ T3613]  __slab_alloc.constprop.0+0x56/0xa0
[   44.734665][ T3613]  __kmem_cache_alloc_node+0x191/0x3e0
[   44.740116][ T3613]  __kmalloc_node+0x47/0xc0
[   44.744609][ T3613]  memcg_alloc_slab_cgroups+0x8b/0x140
[   44.750062][ T3613]  memcg_slab_post_alloc_hook+0xaa/0x480
[   44.755692][ T3613]  __kmem_cache_alloc_node+0x1df/0x3e0
[   44.761154][ T3613]  __kmalloc+0x44/0xc0
[   44.765213][ T3613]  security_prepare_creds+0x10e/0x190
[   44.770572][ T3613]  prepare_creds+0x56e/0x7b0
[   44.775159][ T3613]  copy_creds+0xa3/0xd40
[   44.779393][ T3613]  copy_process+0xfbb/0x7190
[   44.783973][ T3613]  kernel_clone+0xe7/0x980
[   44.788375][ T3613] page last free stack trace:
[   44.793034][ T3613]  free_pcp_prepare+0x65c/0xd90
[   44.797886][ T3613]  free_unref_page+0x19/0x4d0
[   44.802550][ T3613]  __unfreeze_partials+0x17c/0x1a0
[   44.807653][ T3613]  qlist_free_all+0x6a/0x170
[   44.812230][ T3613]  kasan_quarantine_reduce+0x180/0x200
[   44.817683][ T3613]  __kasan_slab_alloc+0x62/0x80
[   44.822625][ T3613]  kmem_cache_alloc_node+0x1be/0x400
[   44.827904][ T3613]  __alloc_skb+0x210/0x2f0
[   44.832323][ T3613]  alloc_skb_with_frags+0x93/0x6c0
[   44.837423][ T3613]  sock_alloc_send_pskb+0x7a3/0x930
[   44.842615][ T3613]  unix_dgram_sendmsg+0x415/0x1b50
[   44.847715][ T3613]  sock_sendmsg+0xcf/0x120
[   44.852126][ T3613]  sock_write_iter+0x291/0x3d0
[   44.856883][ T3613]  vfs_write+0x9e9/0xdd0
[   44.861126][ T3613]  ksys_write+0x1e8/0x250
[   44.865449][ T3613]  do_syscall_64+0x35/0xb0
[   44.869863][ T3613] 
[   44.872173][ T3613] Memory state around the buggy address:
[   44.877786][ T3613]  ffff8880779a8880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.885830][ T3613]  ffff8880779a8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.893875][ T3613] >ffff8880779a8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.901914][ T3613]                                                           ^
[   44.909347][ T3613]  ffff8880779a8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.917387][ T3613]  ffff8880779a8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.925440][ T3613] ==================================================================
[   44.937297][ T3613] Kernel panic - not syncing: panic_on_warn set ...
[   44.943904][ T3613] CPU: 1 PID: 3613 Comm: syz-executor213 Not tainted 6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0
[   44.954318][ T3613] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[   44.964404][ T3613] Call Trace:
[   44.967686][ T3613]  <TASK>
[   44.970614][ T3613]  dump_stack_lvl+0xcd/0x134
[   44.975308][ T3613]  panic+0x2c8/0x622
[   44.979227][ T3613]  ? panic_print_sys_info.part.0+0x110/0x110
[   44.985239][ T3613]  ? preempt_schedule_common+0x59/0xc0
[   44.990715][ T3613]  ? preempt_schedule_thunk+0x16/0x18
[   44.996101][ T3613]  end_report.part.0+0x3f/0x7c
[   45.000867][ T3613]  ? drm_gem_object_release_handle+0xa1/0xb0
[   45.006859][ T3613]  kasan_report.cold+0xa/0xf
[   45.011457][ T3613]  ? drm_gem_object_release_handle+0xa1/0xb0
[   45.017457][ T3613]  drm_gem_object_release_handle+0xa1/0xb0
[   45.023280][ T3613]  ? drm_gem_object_handle_put_unlocked+0x390/0x390
[   45.029895][ T3613]  idr_for_each+0x113/0x220
[   45.034413][ T3613]  ? idr_find+0x50/0x50
[   45.038581][ T3613]  ? rwlock_bug.part.0+0x90/0x90
[   45.043525][ T3613]  ? wait_for_completion_io_timeout+0x20/0x20
[   45.049596][ T3613]  ? lock_acquire+0x4fc/0x630
[   45.054275][ T3613]  drm_gem_release+0x22/0x30
[   45.058882][ T3613]  drm_file_free+0x7bb/0xb90
[   45.063485][ T3613]  ? drm_close_helper.isra.0+0x16b/0x1e0
[   45.069133][ T3613]  drm_release+0x1a6/0x4d0
[   45.073569][ T3613]  __fput+0x27c/0xa90
[   45.077549][ T3613]  ? drm_lastclose+0xe0/0xe0
[   45.082153][ T3613]  task_work_run+0x16b/0x270
[   45.086759][ T3613]  ? task_work_cancel+0x30/0x30
[   45.091634][ T3613]  ? do_raw_spin_lock+0x120/0x2a0
[   45.096666][ T3613]  ptrace_notify+0x114/0x140
[   45.101260][ T3613]  syscall_exit_to_user_mode_prepare+0x129/0x280
[   45.107594][ T3613]  syscall_exit_to_user_mode+0x9/0x50
[   45.112976][ T3613]  do_syscall_64+0x42/0xb0
[   45.117405][ T3613]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   45.123310][ T3613] RIP: 0033:0x7f06220eff53
[   45.127726][ T3613] Code: c7 c2 c0 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb ba 0f 1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8
[   45.147335][ T3613] RSP: 002b:00007ffff79d9238 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[   45.155746][ T3613] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f06220eff53
[   45.163714][ T3613] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[   45.171680][ T3613] RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000100000000
[   45.179650][ T3613] R10: 0000000000000012 R11: 0000000000000246 R12: 00007ffff79d925c
[   45.187618][ T3613] R13: 00007ffff79d9270 R14: 00007ffff79d92b0 R15: 0000000000000000
[   45.195592][ T3613]  </TASK>
[   45.198670][ T3613] Kernel Offset: disabled
[   45.202989][ T3613] Rebooting in 86400 seconds..